GDPR: A new data protection landscape for multichannel retailers

For nearly twenty years EU data protection laws have remained fairly static, despite the rise of the digital era and the boom in ‘big data’. But in January this year the European Commission took a big step towards implementing a major reform that will make Europe ‘fit for the digital age’.

The publication of its agreed text for the EU’s new General Data Protection Regulation (GDPR) puts an end to the patchwork of data protection rules that currently exist across 28 member states. Ensuring European citizens will get the same data protection rights, regardless of where their data is processed.

Due to come into force in 2018, the GDPR will deliver a unified data protection law for Europe’s 500 million citizens, ushering in an era of greater accountability and significantly increased transparency and controls for individuals to exercise management of their data. And that means the rules and regulations that govern how merchants, retailers and their partners capture, store, share and process customer and staff data are about to change.

GDPR – The key facts

The GDPR will affect any business that collects and uses data from European citizens, regardless of whether that organisation is established in the EU or not. Representing a huge change in the way businesses must approach data, those able to adapt quickly to the GDPR will reap benefits down the line.

In essence, GDPR gives EU citizens more control over their personal data. Making it far easier for individual to access and manage it, delete it (the ‘right to be forgotten’), transfer it between providers, and have more information around how it is processed. Furthermore, consumers must explicitly consent to the use of their data.

The GDPR also sets out common standards for data protection, establishing the right for consumers to have their personal data kept safe, the right to complain and gain redress if their data is misused, and the right to know if their data has been hacked.

The way data breaches are reported will also change. Companies suffering a breach with data protection implications will have 72 hours to report it to the local information commissioners, unless this personal data is unreadable or in an inaccessible state – in other words, encrypted.

Offering stronger personal data protection for consumers, the GDPR is indisputably good news for EU citizens. But it has clear and significant implications for any organisation involved in the multichannel retail chain – including merchants, retailers and their financial services partners - when you consider that non-compliant businesses risk fines of up to 4 per cent of global turnover.

GDPR – Clearer rules for business

In today’s digital economy, personal data has acquired enormous significance. The GDPR will establish one single set of rules that will make it simpler and, it could be argued, cheaper for companies to do business in the EU.

For businesses in the multichannel retail chain, it will be far easier to comply with one set of rules and deal with the varying requirements of 28 EU member states. However, data protection will need to be implemented by design and default in the roll-out of new services and technology. In the future, personal data will need to have a defined lifecycle and internal structures will need to be in place to assure compliance with GDPR requirements. What’s more, companies based outside of Europe will need to apply the same rules when offering services in the EU.

The draft GDPR regulation also outlines that large businesses – those with more than 250 employees – and organisations whose core activities consist of processing operations will be required to appoint dedicated data protection officers.

While payment service providers are already strongly regulated by PCI and other data protection measures, they will also need to evaluate their compliance with the new laws. Many of these providers are looking at introducing value-added services to protect data accordingly and which will reduce the investment effort for merchants. Other ways in which the industry is looking to support customers include mandatory policies and procedures, data breach test plans, and implementing joint obligations and liabilities for data controllers and data processors.

Preparing for GDPR – Top tips

The countdown to GDPR has begun and merchants, retailers and their payment partners now have a two year window to re-examine their processes and procedures to ensure compliance. Preparations need to begin now, and organisations should not underestimate the investment needed to implement these new rules:

GDPR should be a board level task – The GDPR governs how brands process individuals’ data across all EU member countries and most organisations now face a considerable amount of work to align their IT governance and data protection programmes with the new regulatory demands. This is a corporate governance issue – and being unprepared is not an option. The huge penalties outlined in the draft GDPR for the violation of certain provisions should be a wake-up call for top management at companies to pay more attention to privacy and provide the resources and funding needed to ensure GDPR compliance.

Embrace the concept of privacy by design – Clear policies will need to be in place to prove your organisation meets the required standards and you will need to ensure that privacy by design requirements are included in all make and buy strategies going forward. Documentation will need to be prepared and kept up-to-date.

Breach notification – Put in place clear policies and well practiced procedures to ensure you can react quickly to any data breach and notify in time when required. Carefully review your organisation’s incident detection, management and response capabilities and ensure corporate legal teams have updated processes to ensure breaches can be reported without being held up due to overly complex internal workflows.

Tackle ‘Rights’ and ‘Consent’ head on – Check your privacy notices and policies are transparent, easily accessible and fulfill a consumer’s right to be forgotten, right to erasure, and right to data portability. If you obtain data processing services from a third party, determine and document your respective responsibilities. As an organisation you will also need to demonstrate that customers have validly consented to the processing of their data.

Recruitment and training – If your organisation employs over 250 employees you will need to appoint a data protection officer. Furthermore, the GDPR requires that all personnel with permanent or regular access to personal data must have appropriate data protection training.

Following four years of negotiations, the EU GDPR is at last in its final stages and will be ratified by the European Council in early 2016. Despite this, many organisations have yet to prepare for its implementation, putting in place the required tools, processes, people, training and technology to ensure they will be compliant with both regulatory and customer demands.

Andre Malinowski, head of international business at payment services provider Computop